Abstract

An important problem of modern cryptography concerns secret public-key computations in algebraic structures. We construct homomorphic cryptosystems being (secret) epimorphisms $f : G \to H$, where $G, H$ are (publicly known) groups and $H$ is finite. A letter of a message to be encrypted is an element $h \in H$, while its encryption $g \in G$ is such that $f(g) = h$. A homomorphic cryptosystem allows one to perform computations (operating in a group $G$) with encrypted information (without knowing the original message over $H$).

In this paper certain homomorphic cryptosystems are constructed for the first time for non-abelian groups $H$ (earlier, homomorphic cryptosystems were known only in the abelian case). In fact, we present such a system for any solvable (fixed) group $H$.

1 Introduction 

In what follows all the groups are presented in some natural way depending on the problem. For example, the special constructions of Section 2 are based on the groups $\mathbb{Z}_n^+$ and $\mathbb{Z}_n^*$ just given via $n$, whereas the general construction of Section 3 requires only that elements of a group in question can be generated and, moreover, that the multiplication and taking the inverse in the group can be performed efficiently. In the latter case the groups can be presented by generators and relations or even by generic algorithms (see e.g. [14]).

There are a lot of public-key cryptosystems using groups (see e.g. [11], [12], [15], [2]), but only a few of them have a homomorphic property in the sense of the following definition (cf. also [?]).

Definition 1.1 Let $H$ be a finite non-identity group, $G$ a finitely generated group and $f : G \to H$ an epimorphism. Suppose that $R$ is a set of distinct representatives of the right cosets of $G$ with respect to $\ker(f)$, $A$ is a set of words in some alphabet and $P : A \to G$ a mapping such that $\operatorname{im}(P) = \ker(f)$. A triple $S = (R, A, P)$ is called a homomorphic cryptosystem over $H$ with respect to $f$, if the following conditions are satisfied:

(H1) one can get random elements (of the sets $A, G, H$), compute the inverse of an element and the product of two elements (in the group $G$ or $H$) in probabilistic time polynomial in $N$, where $N$ is the size of the presentations of $G, H$ and $A$;

(H2) $|R| = |H|$, and for any element $g \in R$ its image $f(g)$, as well as for any element $h \in H$ its unique preimage $g \in R$ such that $f(g) = h$, can be computed in probabilistic time polynomial in $N$;

(H3) the mapping $P$ is a trapdoor function.

Remark 1.2 We require that the set $R$ is given explicitly by a list of elements of $G$. So, condition (H2) implies that without loss of generality one can assume that the group $H$ is represented by its multiplication table.

Condition (H3) means (see [?]) that the values of $P$ can be computed in probabilistic time polynomial in $N$, whereas finding the inverse mapping $P^{-1}$ is a hard computational problem which can be solved with the help of some additional secret information (for instance, knowing some invariant of the group $G$). In a homomorphic cryptosystem $S$ the elements of $H$ are (publicly) encrypted in a probabilistic manner by the elements of $G$, all the computations are performed in $G$ and the result is decrypted to $H$. More precisely:

Public Key: $G, H, R, A, P, f|_R$.
Secret Key: finding $P^{-1}$.

Encryption: given a plaintext $h \in H$ take $r \in R$ such that $f(r) = h$ (invoking (H2)) and a random element $a \in A$; the ciphertext of $h$ is the element $P(a)r$ of $G$ (the element $a$ as well as the product $P(a)r$ is computed by means of (H1)).

Decryption: given $g \in G$ find the elements $r \in R$ and $a \in A$ such that $rg^{-1} = P(a)$ (for computing $P(a)$ see (H3)); set the plaintext of $g$ to be $f(g) = f(r)$ (the element $f(r)$ is computed by means of (H2)).

One can see that the encryption procedure can be performed by means of the public keys efficiently. However, the decryption procedure is a secret one in the following sense. To find the element $r$ one has to solve, in fact, the membership problem for the subgroup $\ker(f)$ of the group $G$. We assume that a solution for each instance $g' \in \ker(f)$ of this problem must have a "proof", which is actually an element $a \in P^{-1}(g')$. Thus, the secrecy of the system is based on the assumption that finding an element in the set $P^{-1}(g')$ is an intractable computational problem. On the other hand, our ability to compute $P^{-1}$ enables us to efficiently implement the decryption algorithm. One can treat $P$ as a proof system for $\ker(f)$ in the sense of [?]. Moreover, in the case when $A$ is a certain group and $P$ is a homomorphism we have the following exact sequence of group homomorphisms

$$A \to G \to H \to \{1\}$$

(recall that exactness of the sequence means that the image of each homomorphism in it coincides with the kernel of the next one).

In the present paper the group $H$, being an alphabet of plaintext messages, is always finite (and rather small) and given by its multiplication table, while the group $G$ of ciphertext messages could be infinite, but is always finitely generated. However, the infiniteness of $G$ is not an obstacle for encrypting (and decrypting), since an element from $H$ is encrypted by a finite word in the generators of $G$. For example, in [?] for an (infinite, non-abelian in general) group $H$ given by $m$ generators and relations a natural epimorphism $f : F_m \to H$ from a free group $F_m$ is considered. Thus, for any element of $H$ one can produce its preimages (encryptions) by inserting in a word from $F_m$ (being an already produced preimage of $f$) any relation defining $H$. In other terms, decrypting of $f$ reduces to the word problem in $H$. The main difference with our approach is that we consider free products over groups of number-theoretic nature like $\mathbb{Z}_n^*$ (rather than groups given by generators and relations). This allows one to provide evidence for the difficulty of decryption.

Definition 1.3 $\mathcal{G}_{crypt}$ is the class of all finite groups $H$ for which there exists a homomorphic cryptosystem over $H$.

In the context of our definition of a homomorphic cryptosystem the main problem we study in this paper is to prove that the class $\mathcal{G}_{crypt}$ contains all solvable nonidentity groups (see Theorem 3.6).

To our knowledge all homomorphic cryptosystems known at present are more or less modifications of the following one. Let $n$ be the product of two distinct large primes of size $O(\log n)$. Set $G = \{g \in \mathbb{Z}_n^* : J_n(g) = 1\}$, where $J_n$ is the Jacobi symbol, and $H = \mathbb{Z}_2^+$. Then given a non-square $g_0 \in G$ the triple $(R, A, P)$, where

$$R = \{1, g_0\}, \qquad A = \mathbb{Z}_n^*, \qquad P(g) : g \mapsto g^2,$$

is a homomorphic cryptosystem over $H$ with respect to the natural epimorphism $f : G \to H$ with $\ker(f) = \{g^2 : g \in \mathbb{Z}_n^*\}$ (see [?]). We call it the quadratic residue cryptosystem. It can be proved (see [?]) that in this case finding $P^{-1}$ is not easier than factoring $n$, whereas given a prime divisor of $n$ the computation of $P^{-1}$ can be performed in time polynomial in $\log n$.
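As an added illustration (this is not code from the paper), the quadratic residue cryptosystem above in Python with a constructed toy modulus $n = 11 \cdot 19$: the public set $G$ is recognised through the Jacobi symbol, encryption is $P(a)r = a^2 r$ for a random unit $a$, decryption uses the prime divisor $p$ as the trapdoor via Euler's criterion, and multiplying two ciphertexts adds the plaintexts in $\mathbb{Z}_2^+$. The function names are this example's own choices.

```python
import random
from math import gcd

# Constructed toy modulus; a real instance uses two large primes of the same size.
p, q = 11, 19
n = p * q

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed by quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:                 # pull out factors of 2: (2/n) = -1 iff n = 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                       # reciprocity: the sign flips iff both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def in_G(g):
    """G = {g in Z_n^* : J_n(g) = 1}: the public set of ciphertexts."""
    return gcd(g, n) == 1 and jacobi(g, n) == 1

def is_square_mod_p(g):
    """Trapdoor test (needs the secret prime p): Euler's criterion on the p-component of g."""
    return pow(g % p, (p - 1) // 2, p) == 1

def find_nonsquare():
    """A public g0 in G that is not a square mod n, i.e. f(g0) = 1; located using p."""
    while True:
        g0 = random.randrange(2, n)
        if in_G(g0) and not is_square_mod_p(g0):
            return g0

g0 = find_nonsquare()
R = [1, g0]                               # coset representatives: f(1) = 0, f(g0) = 1 in Z_2^+

def P(a):
    """The trapdoor map P: a -> a^2 on A = Z_n^*; its image is ker(f), the squares in G."""
    return pow(a, 2, n)

def encrypt(h):
    """Ciphertext of h in {0, 1}: P(a) * R[h] for a random unit a (probabilistic encryption)."""
    a = random.randrange(1, n)
    while gcd(a, n) != 1:
        a = random.randrange(1, n)
    return P(a) * R[h] % n

def decrypt(g):
    """f(g): g = a^2 * r is a square mod n iff r = 1, and squareness is visible mod p."""
    return 0 if is_square_mod_p(g) else 1
```

Only `is_square_mod_p` uses the secret prime; without it, deciding whether an element of $G$ is a square is the problem the text refers to as verifying membership in $\ker(f)$ without a square root. Because $\ker(f)$ is the subgroup of squares, `decrypt(encrypt(h1) * encrypt(h2) % n)` equals $h_1 + h_2 \bmod 2$.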

It is an essential assumption (being a shortcoming) in the quadratic residue cryptosystem, as well as in the other cryptosystems cited below, that its security relies on a fixed a priori (proof system) $P$. Indeed, it is not excluded that an adversary could verify whether an element of $G$ belongs to $\ker(f)$ while avoiding the use of $P$; for example, in the case of the quadratic residue cryptosystem that would mean verifying that $g \in G$ is a square without providing a square root of $g$. However, there is a common conjecture that verifying that an element is a square (as well as some other power) is also difficult.

Let us mention that a cryptosystem from [18] over $H = \mathbb{Z}_n^+$ (for the same assumptions on $n$ as in the quadratic residue cryptosystem) with respect to the homomorphism $f : G \to H$, where $G = \mathbb{Z}_{n^2}^*$ and $\ker(f) = \{g^n : g \in G\}$, in which $A = G$ and $P : g \mapsto g^n$, is not homomorphic in the sense of Definition 1.1, because condition (H3) does not hold for it. (Since $|G| < |H|^2$, one can invert $P$ in time polynomial in $|H|$.) For the same reason the cryptosystem from [16] over $H = \mathbb{Z}_{p^2 q}^+$ with respect to the homomorphism $f : G \to H$, where $G = \mathbb{Z}_{p^2 q}^*$ and $\ker(f) = \{g^{pq} : g \in G\}$ (here the integers $p, q$ are distinct large primes of the same size), is also not homomorphic (besides, in this system only a part of the group $H$ is encrypted). Some cryptosystems over certain dihedral groups were studied in [?].
We note in addition that an alternative setting of a homomorphic (in fact, isomorphic) encryption $E$ (and a decryption $D = E^{-1}$) was proposed in [12]. Unlike Definition 1.1, the encryption $E : G \to G$ is executed in the same set $G$ (being an elliptic curve over the ring $\mathbb{Z}_n$) treated as the set of plaintext messages. If $n$ is composite, then $G$ is not a group, while being endowed with a partially defined binary operation which makes $G$ a group when $n$ is prime. The problem of decrypting this cryptosystem is close to the factoring of $n$. In this aspect [12] is similar to the well-known RSA scheme (see e.g. [?]) if one interprets RSA as a homomorphism (in fact, an isomorphism) $E : \mathbb{Z}_n^* \to \mathbb{Z}_n^*$, for which the security relies on the difficulty of finding the order of the group $\mathbb{Z}_n^*$.

We complete the introduction by mentioning some cryptosystems using groups but not being homomorphic in the sense of Definition 1.1. The well-known example is a cryptosystem which relies on the Diffie-Hellman key agreement protocol (see e.g. [?]). It involves cyclic groups and relates to the discrete logarithm problem [?]; the complexity of this system was studied in [?]. Some generalizations of this system to non-abelian groups (in particular, the matrix groups over some rings) were suggested in [17], where secrecy was based on an analog of the discrete logarithm problem in groups of inner automorphisms. Certain variations of the Diffie-Hellman systems over the braid groups were described in [11]; here several trapdoor one-way functions connected with the conjugacy and root-taking problems in the braid groups were proposed. Finally it should be noted that a cryptosystem from [15] is based on a monomorphism $\mathbb{Z}_m^+ \to \mathbb{Z}_n^*$ by means of which $x$ is encrypted by $g^x \pmod n$, where $n, g$ constitute a public key; its decryption relates to the discrete logarithm problem and is feasible in this situation due to a special choice of $n$ and $m$ (cf. also [?]).

2 Homomorphic cryptosystems over cyclic groups

In this section we present an explicit homomorphic cryptosystem over a cyclic group of a prime order $m$ whose decryption is based on taking $m$-th roots in the group $\mathbb{Z}_n^*$ for a suitable $n \in \mathbb{N}$. It can be considered in a sense as a generalization of the quadratic residue cryptosystem over $\mathbb{Z}_2^+$. Throughout this section, given $n \in \mathbb{N}$ we denote by $|n|$ the size of the number $n$.

Given $m, N \in \mathbb{N}$ set $T_N = \{(p, q) : p, q \text{ are primes},\ |p| = |q| = N,\ p < q\}$ and

$$D_{N,m} = \{n \in \mathbb{N} : n = pq,\ (p, q) \in T_N,\ m \mid p - 1,\ \operatorname{GCD}(m, q - 1) = 1\}.$$

From Dirichlet's theorem on primes in arithmetic progressions [5] it follows that given an odd prime $m$, the set $D_{N,m}$ is not empty for sufficiently large numbers $N$.

Let $n \in D_{N,m}$ for some natural number $N$ and an odd prime $m$. Then the group $G = \mathbb{Z}_n^*$ has a (normal) subgroup $G_0 = \{g^m : g \in G\}$ the factor by which is isomorphic to the group $H = \mathbb{Z}_m^+$. Denote by $f$ the corresponding epimorphism from $G$ to $H$. The mapping

$$P : G \to G, \qquad g \mapsto g^m \qquad (1)$$

is obviously a polynomial time computable homomorphism such that $\operatorname{im}(P) = \ker(f)$. Next, any element of the set

$$\mathcal{R}_{m,n} = \{R \subset G : |f(R)| = |R| = m\}$$

is a system of distinct representatives of the cosets of $G$ by $G_0$. We observe that given the decomposition $n = pq$ one can find an element $R \in \mathcal{R}_{m,n}$ in probabilistic time $|n|^{O(1)}$. Indeed, since $m$ is a prime, it suffices to compute a random element $s_p \in \mathbb{Z}_p^*$ such that $s_p^{(p-1)/m} \neq 1$ and an element $s_q \in \mathbb{Z}_q^*$, then find by the Chinese remainder theorem the unique element $s \in \mathbb{Z}_n^*$ such that $s \equiv s_p \pmod p$, $s \equiv s_q \pmod q$, and set $R = \{s^i t_i^m : i = 0, \ldots, m - 1\}$ for arbitrary elements $t_i \in \mathbb{Z}_n^*$.

We claim that the triple $S_{N,m,n} = (R, A, P)$ with an arbitrarily chosen set $R \in \mathcal{R}_{m,n}$, $A = G$ and $P$ defined by (1) is a homomorphic cryptosystem over the group $H$ with respect to the epimorphism $f$ whenever the following statement is true:

Assumption (*). For an odd prime $m$ the problem $V(m)$ of finding the $m$-th root in $\mathbb{Z}_n^*$ with $n \in D_{N,m}$, given an element $R \in \mathcal{R}_{m,n}$, is not easier than the same problem without any such $R$.
Let us present the group $G$ by the number $n$ and the group $H$ by the set of its elements. Then for the triple $S_{N,m,n}$ conditions (H1) and (H2) of Definition 1.1 are trivially satisfied (the image of the above element $s^i t_i^m$ with respect to the homomorphism $f$ equals $i \in \mathbb{Z}_m^+$). In fact, condition (H3) would follow from the next lemma.
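The triple $S_{N,m,n}$ as an added worked example in Python (not code from the paper), for the constructed toy parameters $m = 3$, $p = 13$, $q = 11$, so that $m \mid p - 1$ and $\operatorname{GCD}(m, q - 1) = 1$. It builds $R = \{s^i t_i^m\}$ through the Chinese remainder theorem exactly as described above, encrypts $h \in \mathbb{Z}_m^+$ as $P(a) r_h = a^m r_h$, and decrypts with the secret prime $p$ through the $m$-th power residue test $g_p^{(p-1)/m} = 1 \pmod p$ for membership in $G_0$ (the test mentioned in the remark that closes this section), so no root finding is needed to decrypt. Function names are this example's own.

```python
import random
from math import gcd

# Constructed toy parameters; a real instance uses N-bit primes for a large N.
m = 3             # odd prime: the plaintext alphabet is H = Z_m^+ = {0, 1, 2}
p, q = 13, 11     # m | p-1 and gcd(m, q-1) = 1, so n = pq lies in D_{N,m}
n = p * q

def random_unit():
    """A random element of G = Z_n^*."""
    while True:
        a = random.randrange(1, n)
        if gcd(a, n) == 1:
            return a

def crt(a_p, a_q):
    """The unique x in Z_n with x = a_p (mod p) and x = a_q (mod q)."""
    return (a_p * q * pow(q, -1, p) + a_q * p * pow(p, -1, q)) % n

def make_representatives():
    """R = {s^i t_i^m : i = 0..m-1} with s_p not an m-th power mod p, as in the text."""
    while True:
        s_p = random.randrange(1, p)
        if pow(s_p, (p - 1) // m, p) != 1:          # s_p lies outside (Z_p^*)^m
            break
    s_q = random.randrange(1, q)                     # any unit mod q works
    s = crt(s_p, s_q)
    return [pow(s, i, n) * pow(random_unit(), m, n) % n for i in range(m)]

R = make_representatives()                           # public; f(R[i]) = i in Z_m^+

def P(a):
    """The trapdoor map (1): P(a) = a^m, with im(P) = ker(f) = G_0."""
    return pow(a, m, n)

def in_G0(g):
    """Secret membership test for G_0 (uses p): g in G_0 iff g_p^((p-1)/m) = 1 (mod p)."""
    return pow(g % p, (p - 1) // m, p) == 1

def encrypt(h):
    """Ciphertext of h in Z_m^+: P(a) * r_h for a random a in A = G."""
    return P(random_unit()) * R[h] % n

def decrypt(g):
    """Find the unique r in R with g * r^{-1} in G_0 = ker(f); the plaintext is f(r)."""
    for i, r in enumerate(R):
        if in_G0(g * pow(r, -1, n) % n):
            return i
    raise ValueError("not a unit mod n")
```

Since $s_p^{(p-1)/m}$ is a primitive $m$-th root of unity mod $p$, the test in `decrypt` succeeds for exactly one representative, and the product of ciphertexts of $h_1$ and $h_2$ decrypts to $h_1 + h_2 \bmod m$, which is the homomorphic property over $\mathbb{Z}_m^+$.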

Lemma 2.1 Let $N \in \mathbb{N}$, $m$ be an odd prime and $n \in D_{N,m}$. Then

(1) given primes $p$ and $q$ such that $n = pq$ and an element $g \in \mathbb{Z}_n^*$, one can verify whether $g$ is an $m$-th power and, if it is the case, one can find an $m$-th root of $g$ in probabilistic polynomial time in $N$;

(2) the factoring problem for $n$ is probabilistic polynomial time reducible to the problem of finding an $m$-th root in $\mathbb{Z}_n^*$.



Proof. Throughout the proof we will use the canonical decomposition $\mathbb{Z}_n^* = \mathbb{Z}_p^* \times \mathbb{Z}_q^*$. To prove statement (1) we make use of Rabin's probabilistic polynomial-time algorithm for finding roots of polynomials over finite prime fields (see [19]). Namely, given the primes $p, q$ and $g \in \mathbb{Z}_n^*$ we proceed as follows:

Step 1. Find the elements $g_p \in \mathbb{Z}_p^*$ and $g_q \in \mathbb{Z}_q^*$ such that $g = g_p \times g_q$, i.e. $g_p \equiv g \pmod p$, $g_q \equiv g \pmod q$.

Step 2. By Rabin's algorithm (for a prime field) find some roots $h_p \in \mathbb{Z}_p^*$ and $h_q \in \mathbb{Z}_q^*$ of the polynomials $x^m - g_p$ and $x^m - g_q$, respectively.

Step 3. Output $h = h_p \times h_q$.

Observe that the described algorithm fails (at Step 2) if and only if $g$ is not an $m$-th power. Since, obviously, $h^m = h_p^m \times h_q^m = g_p \times g_q = g$, statement (1) of the lemma is proved.

To prove statement (2) suppose that we are supplied with a probabilistic polynomial-time algorithm $Q_n$ that given $g \in \mathbb{Z}_n^*$ computes an $m$-th root $Q_n(g)$ of $g$. The following procedure, using well-known observations [?], shows how $Q_n$ helps to find the numbers $p$ and $q$.

Step 1. Randomly choose $x \in \mathbb{Z}_n^*$.

Step 2. Set $y = Q_n(x^m)$. If $x = y$, then go to Step 1.

Step 3. Output $q = \operatorname{GCD}(x - y, n)$ and $p = n/q$.

Let $x = x_p \times x_q$ and $y = y_p \times y_q$, where $x_p, y_p \in \mathbb{Z}_p^*$ and $x_q, y_q \in \mathbb{Z}_q^*$. From Step 2 it follows that $x_q^m = y_q^m$. On the other hand, since $n \in D_{N,m}$, we have $\operatorname{GCD}(q - 1, m) = 1$. Thus $x_q \equiv y_q \pmod q$ and hence

$$x \equiv x_q \equiv y_q \equiv y \pmod q.$$

So, $x - y \not\equiv 0 \pmod n$ is a multiple of $q$. To complete the proof we note that since $m = O(1)$, the loop of Steps 1, 2 terminates with a large probability after a polynomial number of iterations. ■
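An added example (not code from the paper) that traces both parts of the proof in Python on the constructed instance $m = 3$, $n = 13 \cdot 11$: statement (1) as Steps 1-3, with exhaustive search over the tiny prime fields standing in for Rabin's algorithm, and statement (2) as the factoring loop of Steps 1-3 that calls that root finder as the oracle $Q_n$. The random choice among the $m$ roots mod $p$ is what makes $x \neq y$ happen, while $\operatorname{GCD}(m, q - 1) = 1$ forces $x \equiv y \pmod q$, so $\operatorname{GCD}(x - y, n)$ is $q$. Function names are this example's own.

```python
import random
from math import gcd

# Constructed toy instance of D_{N,m}: m | p-1 and gcd(m, q-1) = 1.
m = 3
p, q = 13, 11
n = p * q

def crt(a_p, a_q):
    """The unique x in Z_n with x = a_p (mod p) and x = a_q (mod q)."""
    return (a_p * q * pow(q, -1, p) + a_q * p * pow(p, -1, q)) % n

def prime_field_roots(g, r):
    """All roots of x^m - g over Z_r by exhaustive search; a stand-in for Rabin's algorithm
    that is only viable because the constructed primes are tiny."""
    return [x for x in range(1, r) if pow(x, m, r) == g % r]

def m_root_with_factors(g):
    """Statement (1), Steps 1-3: an m-th root of g in Z_n^*, or None if g is not an m-th power."""
    g_p, g_q = g % p, g % q                                   # Step 1: g = g_p x g_q
    roots_p, roots_q = prime_field_roots(g_p, p), prime_field_roots(g_q, q)   # Step 2
    if not roots_p or not roots_q:
        return None                                           # fails iff g is not an m-th power
    return crt(random.choice(roots_p), random.choice(roots_q))  # Step 3: h = h_p x h_q

def factor_with_root_oracle(root_oracle, max_iter=1000):
    """Statement (2), Steps 1-3: recover (p, q) from any oracle returning some m-th root."""
    for _ in range(max_iter):
        x = random.randrange(1, n)                            # Step 1: random x in Z_n^*
        if gcd(x, n) != 1:
            continue
        y = root_oracle(pow(x, m, n))                         # Step 2: y^m = x^m (mod n)
        if x == y:
            continue                                          # same p-component: try again
        d = gcd(x - y, n)                                     # Step 3: x = y (mod q), x != y (mod p)
        return (n // d, d)
    return None
```

Mod $p$ the polynomial $x^m - g_p$ has $m$ roots whenever it has one, so each pass through Step 2 returns a root with $y \neq x$ with probability $(m - 1)/m$, which is the "large probability after a polynomial number of iterations" of the proof; mod $q$ the root is unique.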

Unfortunately, we don't know how to apply this lemma without assumption (*), because in our case the system $S_{N,m,n}$ includes the set $R \in \mathcal{R}_{m,n}$. However, from it we obtain the following statement.

Theorem 2.2 Under assumption (*) the triple $S_{N,m,n}$ for an odd prime $m$ is a homomorphic cryptosystem over $\mathbb{Z}_m^+$; in particular, the class $\mathcal{G}_{crypt}$ contains each cyclic group of a prime order. ■

We complete the section by mentioning that $S_{N,m,n}$ can be slightly modified to avoid applying Rabin's algorithm for finding roots of polynomials over finite fields. In principle, to implement the decryption algorithm it suffices to determine whether a given number $g \in G$ belongs to the group $G_0$ or not. However, this can be done by observing that $g \in G_0$ iff $g_p^{(p-1)/m} = 1 \pmod p$, where $g_p$ is the component of $g$ in the factor $\mathbb{Z}_p^*$ of $G = \mathbb{Z}_p^* \times \mathbb{Z}_q^*$.



3 Homomorphic cryptosystems using free products

3.1. Throughout the section for a set $X$ we denote by $W(X)$ the set of all words in the alphabet $X$. For an element $w \in W(X)$ we denote by $|w|$ the length of $w$.

Let $G_1, \ldots, G_m$ be a set of $m > 1$ pairwise disjoint finite groups. For $i = 1, \ldots, m$ set

$$X_i = G_i \setminus \{1_{G_i}\}, \qquad \mathcal{R}_i = \{xyz \in W(X_i) : x, y, z \in X_i,\ z^{-1} = xy\}.$$

Then $G_i = \langle X_i ; \mathcal{R}_i \rangle$, i.e. $G_i$ is the group given by the set $X_i$ of generators and the set $\mathcal{R}_i$ of relations. Set $X_G = \bigcup_{i=1}^m X_i$ and $\mathcal{R}_G = \bigcup_{i=1}^m \mathcal{R}_i$. The group

$$G = G_1 * \cdots * G_m = \langle X_G ; \mathcal{R}_G \rangle$$

is called the free product of the groups $G_1, \ldots, G_m$ (see [13]). From the definition it follows that each element of $G$ can be represented by the uniquely determined (canonical) word of $W_G = W(X_G)$ such that no two adjacent letters of it belong to the same set among the sets $X_i$. This enables us to identify $G$ with the subset of $W_G$ consisting of all such words. Thus $G = \{\overline{w} : w \in W_G\}$, where $\overline{w}$ is the canonical word corresponding to a word $w$. In particular, $\overline{g} = g$ for all $g \in G$. Due to identifying the groups $G_1, \ldots, G_m$ and $G$ with the corresponding subsets of the set $W_G$, we will assume below that the identities of these groups are equal to the empty word of $W_G$.

Suppose we are given epimorphisms $f_i : G_i \to K_i$, $i = 1, \ldots, m$. Assuming the groups $K_1, \ldots, K_m$ to be pairwise disjoint we set $K = K_1 * \cdots * K_m$ and $W_K = W(X_K)$, where $X_K = \bigcup_{i=1}^m (K_i \setminus \{1_{K_i}\})$. Then the natural surjection $W_G \to W_K$ replacing the elements of $X_G$ by their images in $X_K$ with respect to the corresponding $f_i$ induces an epimorphism

$$f^* : G \to K, \qquad f^*|_{X_i} = f_i,\ i = 1, \ldots, m. \qquad (2)$$

Moreover, since the conditions $f^*|_{X_i} = f_i$ define the images of the generators of $G$, the epimorphism $f^*$ is the unique epimorphism from $G$ onto $K$ satisfying these conditions.

3.2. Let us study the kernel of the epimorphism $f^*$. To do this suppose that $K_i$ is a cyclic group of a prime order and $(R_i, A_i, P_i)$ is a homomorphic cryptosystem over the group $K_i$ with respect to the epimorphism $f_i : G_i \to K_i$ described in Section 2, $i = 1, \ldots, m$. Let $w_1, w_2 \in W_G$ and $x \in G_i$ for some $i$. By an elementary transformation of the word $w_1 x w_2 \in W_G$ we mean replacing $x$ by a certain word $x_1 P_j(a_j) x_2$, where $x_1, x_2 \in G_i$ with $x = x_1 x_2$ and $a_j \in A_j$ for some $j$:

$$w_1 x w_2 \to w_1 (x_1 P_j(a_j) x_2) w_2. \qquad (3)$$

Denote by $W_0$ the set of all words of $W_G$ which can be obtained from the empty word by a sequence of elementary transformations, and set $G_0 = \{\overline{w} : w \in W_0\}$.

Lemma 3.1 In the above notation, $\ker(f^*) = G_0$.

Proof. First, let $w = w_1 x w_2$, where $w_1, w_2 \in W_G$ and $x \in G_i$ for some $i$, be a word of $W_G$. Suppose that a word $w' \in W_G$ is obtained from $w$ by the elementary transformation (3). Then the words $w, w'$ belong or do not belong to the group $\ker(f^*)$ simultaneously. Indeed,

$$f^*(w') = f^*(w_1 x_1 P_j(a_j) x_2 w_2) = f^*(w_1) f^*(x_1) f^*(x_2) f^*(w_2) = f^*(w_1) f^*(x) f^*(w_2) = f^*(w_1 x w_2) = f^*(w). \qquad (4)$$

So, the inclusion $\ker(f^*) \supseteq G_0$ follows by induction on the number of elementary transformations used for constructing an element of $G_0$.

Conversely, let $w' \in \ker(f^*)$. Let us prove that $w' \in G_0$ by induction on $|w'|$. If $|w'| = 0$, then the statement is obvious. Suppose $|w'| > 0$. Then $w' = w_1 x w_2$ for some $w_1, w_2 \in W_G$ and $x \in \ker(f_i)$ for some $i$. (Indeed, otherwise, since $w' = \overline{w'}$, we conclude that $|w'| = |f^*(w')|$. So, $|f^*(w')| > 0$, which contradicts the fact that $w' \in \ker(f^*)$.) So, $w'$ is obtained from the word $w = w_1 w_2$ of $W_G$ by the elementary transformation (3). Since $w' \in \ker(f^*)$, from (4) it follows that $w \in \ker(f^*)$. On the other hand, it is easy to see that $|\overline{w}| \leq |w| < |w'|$. So, by the induction hypothesis we conclude that $\overline{w} \in G_0$. By the definition of $w$ this implies that $w' \in G_0$. Thus $\ker(f^*) \subseteq G_0$ and we are done. ■

Let $g \in \ker(f^*)$. Then from Lemma 3.1 it follows that $g$ can be obtained from the empty word by a sequence of elementary transformations. Moreover, the proof of this lemma implies that there exists such a sequence consisting of at most $|g|$ elementary transformations. Any such sequence is called a proof for $g$ (more precisely, a proof of the membership $g \in \ker(f^*)$, cf. (H3) in Definition 1.1). It is easy to see that any elementary transformation (3) is uniquely determined by the following data: the position of the letter $x \in G_i$, the word $x_1 x_2 x^{-1} \in \mathcal{R}_i$ and the element $a_j \in A_j$. Thus any proof for the element $g$ can be represented by a word $p$ in the alphabet $\mathbb{N} \times \mathcal{R}_G \times (\bigcup_j A_j)$. One can see that in this case $|p|$ is bounded by a polynomial in $|g|$.

We define $A^*$ to be the set of all proofs for the elements of $\ker(f^*)$. It should be stressed that $A^*$ includes only "short" (consisting of at most $|g|$ elementary transformations) proofs for an element $g \in \ker(f^*)$ and does not contain "proofs" for all words of $W_0$. For a given $s$ one can generate a random element of $A^*$ of length $s$ in time polynomial in $s$. Indeed, due to the definition of the elementary transformation (3) it suffices to choose randomly positions in a current word and elements of $A_i$ for all $i = 1, \ldots, m$. However, this can be done with the help of the algorithms of the homomorphic cryptosystem $(R_i, A_i, P_i)$ over $K_i$ (see condition (H1) of Definition 1.1).



Lemma 3.2 The image of the mapping $P^* : A^* \to G$ defined by $P^*(a) = g$ iff $a$ is a proof for $g$, equals $\ker(f^*)$. Moreover, the following statements hold:

(i1) given $a \in A^*$ the element $P^*(a)$ can be found in polynomial time in $|a|$;

(i2) if for each $i \in \{1, \ldots, m\}$ there is an oracle $Q_i$ which for any element $g_i \in \ker(f_i)$ produces a certain $a_i \in P_i^{-1}(g_i)$, then given $g \in \ker(f^*)$ a proof $a \in A^*$ for $g$ can be found by means of at most $|g|^2$ calls of the oracles $Q_i$ for $P_i^{-1}(g_i)$, $i = 1, \ldots, m$, $g_i \in \ker(f_i)$;

(i3) for each $i \in \{1, \ldots, m\}$ and $g \in \ker(f_i)$ the problem of finding an element in $P_i^{-1}(g)$ is polynomial time reducible to the problem of finding an element in $(P^*)^{-1}(g)$.



Proof. The equality $\operatorname{im}(P^*) = \ker(f^*)$ follows from Lemma 3.1. Statement (i1) follows from the fact that any elementary transformation (3) of $g \in W_G$ is reduced to finding $P_j(a_j)$, which can be done in time polynomial in $|a_j| \leq |a|$. To prove statement (i2) one can apply the following obvious procedure testing membership of a word $w \in W_G$ in the set $W_0$.

Step 1. Using multiplications in the groups $G_i$, $i = 1, \ldots, m$, find the canonical word $\overline{w}$ of the word $w$.

Step 2. Using the oracles $Q_i$, $i = 1, \ldots, m$, delete any letter $x \in \ker(f_i)$ from the (current) word $w$. If there was at least one deletion, then go to Step 1.

Step 3. If the resulting word is empty, then $w \in W_0$.

In fact, this procedure is the algorithmic version of the proof of Lemma 3.1. To find a proof for an arbitrary $g \in \ker(f^*)$, it suffices to apply the above procedure to the word $g \in W_G$ and to collect all results at Steps 1 and 2. Since the number of them is at most $|g|$, and the number of calls of the oracles $Q_i$ at Step 2 is also at most $|g|$, statement (i2) follows.

To prove statement (i3) let $i \in \{1, \ldots, m\}$ and $g \in G_i$. Then, since obviously $g \in \ker(f_i)$ iff $g \in \ker(f^*)$, one can test whether $g \in \ker(f_i)$ by means of an algorithm finding $(P^*)^{-1}$. Moreover, if $g \in \ker(f_i)$, then this algorithm yields a proof from $A^*$ for the element $g$. Set $T$ to be the set of all elements $a_j \in A_i$ of the elementary transformations (3) belonging to this proof. Then $g = \prod_{a_j \in T} P_i(a_j)$. Since the set $A_i$ is an abelian group and the mapping $P_i : A_i \to G_i$ is a homomorphism, this implies that $a = \prod_{a_j \in T} a_j$ is a proof for $g$ and we are done. ■
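An added Python illustration (not code from the paper) of Subsections 3.1 and 3.2 with a constructed stand-in for the factors: $G_1 = \mathbb{Z}_6^+$, $G_2 = \mathbb{Z}_{10}^+$, $f_i$ reduction modulo $3$ and $5$ respectively, and $P_i(a) = m_i a$, whose image is $\ker(f_i)$ (the paper's $G_i = \mathbb{Z}_n^*$ with $P_i(a) = a^m$ are replaced by these additive groups so that the free-product machinery stays in the foreground). It implements canonical words of $G_1 * G_2$, the epimorphism $f^*$ of (2), the membership procedure of Steps 1-3 above (Lemma 3.2, (i2)), which records the elementary transformations (3) it undoes, and $P^*$ as the replay of that proof from the empty word. It goes beyond the text in one respect: the merges performed at Step 1 are recorded as transformations with $a_j = 0$ (so $P_j(a_j)$ is the identity), which lets the replay reproduce the input word exactly at the cost of a proof longer than the $|g|$ bound stated above. All function and variable names are this example's own.

```python
# Constructed toy factors: G_i = Z_{N[i]}^+ with f_i = reduction mod M[i], so K_i = Z_{M[i]}^+.
# Letters of words over the free product G_1 * G_2 are pairs (i, x) with x != 0 in G_i.
N = [6, 10]        # orders of G_1, G_2 (index 0 and 1)
M = [3, 5]         # orders of K_1, K_2; M[i] divides N[i]

def mult(i, x, y):
    return (x + y) % N[i]

def f(i, x):
    """The epimorphism f_i: G_i -> K_i."""
    return x % M[i]

def P(i, a):
    """P_i: A_i = G_i -> G_i, a -> M[i]*a; its image is exactly ker(f_i)."""
    return (M[i] * a) % N[i]

def Q(i, g):
    """Oracle Q_i of Lemma 3.2 (i2): some a with P_i(a) = g, for g in ker(f_i)."""
    return g // M[i]

def canonical(word, orders=None):
    """Canonical word: merge adjacent letters of the same factor, drop identities."""
    orders = orders or N
    out = []
    for i, x in word:
        if out and out[-1][0] == i:
            x = (out.pop()[1] + x) % orders[i]
        if x != 0:
            out.append((i, x))
    return out

def f_star(word):
    """f* of (2): apply f_i letter by letter, then reduce in K = K_1 * K_2."""
    return canonical([(i, f(i, x)) for i, x in word], M)

def reduce_with_steps(w):
    """Step 1, recording every merge of x1 x2 as the transformation (3) with P_i(0) = 1."""
    w = [(i, x) for i, x in w if x != 0]
    steps, pos = [], 0
    while pos + 1 < len(w):
        (i, x1), (i2, x2) = w[pos], w[pos + 1]
        if i != i2:
            pos += 1
            continue
        steps.append((pos, i, x1, x2, i, 0))
        y = mult(i, x1, x2)
        w = w[:pos] + ([(i, y)] if y else []) + w[pos + 2:]
        pos = max(pos - 1, 0)          # a merge may create a new adjacent pair on the left
    return w, steps

def kernel_proof(word):
    """Steps 1-3 of the procedure: a proof (list of transformations (3), each stored as
    (position, i, x1, x2, j, a_j)) if word lies in ker(f*), else None."""
    w, steps = list(word), []
    while True:
        w, merges = reduce_with_steps(w)                 # Step 1
        steps += merges
        for pos, (j, x) in enumerate(w):                 # Step 2: delete a letter of ker(f_j)
            if f(j, x) == 0:
                steps.append((pos, j, 0, 0, j, Q(j, x)))  # x = P_j(a_j) was inserted at pos
                del w[pos]
                break
        else:
            return steps if not w else None              # Step 3

def apply_step(w, step):
    """Elementary transformation (3): replace the letter x = x1 x2 at index pos (insert at pos
    when x = 1) by x1 P_j(a_j) x2; identity letters are the empty word and are dropped."""
    pos, i, x1, x2, j, a = step
    ins = [(k, y) for k, y in ((i, x1), (j, P(j, a)), (i, x2)) if y != 0]
    if mult(i, x1, x2) == 0:
        return w[:pos] + ins + w[pos:]
    assert w[pos] == (i, mult(i, x1, x2))
    return w[:pos] + ins + w[pos + 1:]

def P_star(proof):
    """P*(a) for a proof a: replay the transformations from the empty word, last deletion first."""
    w = []
    for step in reversed(proof):
        w = apply_step(w, step)
    return canonical(w)
```

For a word $g$, `f_star(g) == []` exactly when `kernel_proof(g)` returns a proof, which is Lemma 3.1 in executable form, and `P_star(kernel_proof(g)) == canonical(g)` is the equality $P^*(a) = g$ defining $P^*$. Each proof step stores the data the text lists for (3): a position, the relation $x_1 x_2 x^{-1}$ through the pair $(x_1, x_2)$, and the element $a_j$.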

Let us describe a special system of distinct representatives of the right cosets of $G$ with respect to $\ker(f^*)$. Set $W_R = W(\bigcup_i R_i)$. Then $W_R \subseteq W_G$ and the set

$$R^* = G \cap W_R \qquad (5)$$

is a system of distinct representatives of the right cosets of $G$ with respect to $\ker(f^*)$. Indeed, $R^*$ consists of all the words of $W_R$ which are canonical words of $W_G$. So, no two elements of $R^*$ belong to the same right coset of $G$ with respect to $\ker(f^*)$. Thus our claim follows from the fact that the restriction of the mapping $f^*$ to $R^*$ is the bijection from $R^*$ onto $K$ coinciding with $f_i$ on $R_i$, $i = 1, \ldots, m$.

3.3. We need one more special homomorphism of a free product. To do this we recall some facts on semidirect products of groups (see e.g. [10]). Suppose that $K_1, K_2$ are groups and $\varphi : K_2 \to \operatorname{Aut}(K_1)$ is a homomorphism. Then the set $K_1 \times K_2$ forms a group with the multiplication given by

$$(k_1, k_2)(l_1, l_2) = (k_1 l_1^{\varphi(k_2)}, k_2 l_2), \qquad k_1, l_1 \in K_1,\ k_2, l_2 \in K_2.$$

This group is called a semidirect product of $K_1$ and $K_2$ (with respect to the homomorphism $\varphi$) and is denoted by $H = \Pi(K_1, K_2)$. One can see that it contains the subgroup $K_i'$ (isomorphic to $K_i$) consisting of all pairs with $1_{K_{3-i}}$ as the $(3 - i)$-th coordinate, $i = 1, 2$. Moreover, $K_1'$ is a normal subgroup of $H$, $K_1' \cap K_2' = \{1_H\}$ and $H = K_1' K_2'$. In general, if an arbitrary group $H$ has two such subgroups $K_1', K_2'$, then it is isomorphic to the semidirect product of them with respect to the homomorphism $\varphi$ induced by the action of $K_2'$ on $K_1'$ by conjugation. In what follows we shall identify $K_i$ with $K_i'$, $i = 1, 2$. We also extend the definition of the semidirect product to an arbitrary number of factors by means of setting for $m \geq 3$

$$\Pi(K_1, K_2, \ldots, K_m) = \Pi(K_1, \Pi(K_2, \ldots, K_m))$$

with respect to suitable homomorphisms $\varphi$. Thus $\Pi(K_i, \ldots, K_m) = \Pi(K_i, K^{(i)})$, where $K^{(i)} = \Pi(K_{i+1}, \ldots, K_m)$, for all $i = 1, \ldots, m - 1$ (for $i = m - 1$ we adopt that $\Pi(K_m) = K_m$). In what follows the group $\Pi(K_1, K_2, \ldots, K_m)$ will be "small" and presented by its multiplication table. Thus, its subgroups $K_1, \ldots, K_m$ are also small and for a given $i$ the homomorphism $\varphi_i : K^{(i)} \to \operatorname{Aut}(K_i)$ can be presented by indicating the permutations $\varphi_i(k)$ of the set $K_i$ for all $k \in K^{(i)}$.

Lemma 3.3 Let $H = \Pi(K_1, \ldots, K_m)$ and $K = K_1 * \cdots * K_m$ for a set of pairwise disjoint finite groups $K_1, \ldots, K_m$. Then there exists an epimorphism $Q : K \to H$ such that given $k \in K$ one can find the element $Q(k)$ in time polynomial in $|k|$ and $|H|$.

Proof. Due to our assumptions we see that the set $H$ as well as the set

$$\mathcal{R}_H = \{x^{-1} y x y' \in W_K : x \in K^{(i)},\ y \in K_i,\ y' = (x^{-1} y x)^{-1},\ i = 1, \ldots, m - 1\}$$

are subsets of the group $K$. From the definition of the free product it follows that the elements of $H$ are distinct elements of the quotient group $\widetilde{K}$ obtained from $K$ by imposing the set $\mathcal{R}_H$ of relations. On the other hand, from the definition of $\mathcal{R}_H$ it follows that any element $k \in \widetilde{K}$ can be represented by an element of $K$ of the form $k_1 \cdots k_m$ for some $k_i \in K_i$, $i = 1, \ldots, m$; moreover, this representation is unique, since otherwise the equality of two such representations could be deduced from the relations $\mathcal{R}_H$, which hold in the group $H$ as well, but in the group $H$ any two such representations differ. After identifying $\widetilde{K}$ with the set of all such elements, we see that the mapping

$$\widetilde{K} \to H, \qquad k \mapsto k_1 \cdots k_m$$

is an isomorphism. Denote by $Q$ the composition of the natural epimorphism $K \to \widetilde{K}$ with this isomorphism. Then the mapping $Q : K \to H$ is an epimorphism, and given $k \in K$ the computation of $Q(k)$ consists in a reduction of $k$ modulo the relations of $\mathcal{R}_H$ to the form $k_1 \cdots k_m$. This can be done by means of the following procedure.

Step 1. If $k$ is the empty word, then output $Q(k) = k$.

Step 2. Using the relations $x^{-1} y x y' \in \mathcal{R}_H$ with arbitrary $x \in K^{(1)}$ and $y \in K_1$, reduce $k$ to the form $k_1 \widehat{k}$, where $k_1 \in K_1$ and $\widehat{k} \in \widehat{K}$ with $\widehat{K} = K_2 * \cdots * K_m$.

Step 3. Applying the procedure recursively to $\widehat{k} \in \widehat{K}$ and $H = K^{(2)}$, output $Q(k) = k_1 Q(\widehat{k})$.

First, we observe that the length of any intermediate word in the above procedure is at most $|k|$. Next, the number of recursive calls (at Step 3) is at most $m$. Thus the procedure can be done in time polynomial in $|k|$ and $|H|$. The lemma is proved. ■

3.4. We are ready to describe the main construction of this section. Let $K_1, \ldots, K_m$ be a set of pairwise disjoint cyclic groups of prime orders and $H = \Pi(K_1, \ldots, K_m)$. Suppose that we are given a homomorphic cryptosystem $(R_i, A_i, P_i)$ over the group $K_i$ with respect to the homomorphism $f_i : G_i \to K_i$ from Section 2, $i = 1, \ldots, m$. Without loss of generality we assume that the groups $G_i$ are pairwise disjoint. Set $G = G_1 * \cdots * G_m$. Then from the definition of $f^*$ (see formula (2)) and Lemma 3.3 it follows that the mapping $f = Q f^*$ from $G$ to $H$ is an epimorphism.

Theorem 3.4 The triple $(R, A, P)$, where $R$ is an arbitrary set of distinct representatives of the right cosets of $G$ with respect to $\ker(f)$, provided that $R$ fulfils condition (H2) of Definition 1.1,

$$A = \{(a, r) \in A^* \times R^* : f(r) = 1_H\}, \qquad P : A \to G,\ (a, r) \mapsto P^*(a) r,$$

with $A^*, P^*$ defined in Subsection 3.2 and $R^*$ defined in (5), is a homomorphic cryptosystem over the group $H$ with respect to the homomorphism $f : G \to H$.

Proof. From the definition of $R^*$ it follows that given $g \in G$ there exist uniquely determined $g_0 \in \ker(f^*)$ and $r \in R^*$ such that $g = g_0 r$. So, $f(g) = Q(f^*(g_0) f^*(r)) = Q(f^*(r)) = f(r)$. Thus $g \in \ker(f)$ iff $f(r) = 1_H$. By Lemma 3.2 this implies that $\operatorname{im}(P) = \ker(f)$. To check condition (H1) of Definition 1.1 we have to show how to get random elements of $A$. This follows from the remarks before Lemma 3.2 on the random generation of elements of $A^*$, whereas the sets $R_i$, $i = 1, \ldots, m$, are given explicitly. Thus it remains to verify that $P$ is a trapdoor function (i.e. condition (H3)).

First, we observe that by statement (i1) of Lemma 3.2 and by Lemma 3.3 the mapping $P$ is polynomial time computable. Second, by condition (H3) for the homomorphic cryptosystems $(R_i, A_i, P_i)$ there exists an algorithm that given $i \in \{1, \ldots, m\}$ and $g_i \in G_i$ efficiently finds an element of the set $P_i^{-1}(g_i)$. Let us show that this suffices to invert $P$. Indeed, in this case given $g \in G$ the element $f^*(g) \in K$ can be found efficiently. Since $g = g_0 r$ for uniquely determined $g_0 \in \ker(f^*)$ and $r \in R^*$, and $f^*(r) = f^*(g)$, one can compute the element $r$ and hence the element $g_0 = g r^{-1}$ within the same time. By statement (i2) of Lemma 3.2 we can also find an element $a \in A^*$ such that $P^*(a) = g_0$. Thus to invert $P$ it suffices to test whether $f(r) = 1_H$ holds (if $f(r) = 1_H$, then $(a, r) \in A$ and $P(a, r) = g$). We have $f(r) = Q(f^*(r))$. Next, by condition (H2) for the homomorphic cryptosystems $(R_i, A_i, P_i)$ we can find the element $f^*(r)$, and so by Lemma 3.3 the element $Q(f^*(r))$, and finally test the equality $f(r) = 1_H$.

Suppose that one can invert $P$ efficiently. Let $g \in G$. If $g \notin \ker(f)$, then obviously $g \notin \ker(f^*)$. Let now $g \in \ker(f)$ and $(a, r) \in A$ be a proof for $g$, i.e. $P^*(a) r = g$. Since $r$ belongs to the right transversal $R^*$ of $\ker(f^*)$ in $G$, it follows that $g \in \ker(f^*)$ iff $r = 1_G$. Moreover, if $r = 1_G$, then obviously $P^*(a) = g$. Thus the problem of finding $(P^*)^{-1}$ is polynomial time reducible to the problem of finding $P^{-1}$. So by statement (i3) of Lemma 3.2 the problem of finding $P_i^{-1}$, $i = 1, \ldots, m$, is polynomial time reducible to the problem of finding $P^{-1}$. Thus $P$ is a trapdoor function, which completes the proof. ■

Observe that one can explicitly produce a set $R$ satisfying the condition of Theorem 3.4 (i.e. condition (H2)). Namely, for each element $h \in H$ find a representation $h = k_1 \cdots k_m$, where $k_i \in K_i$ (cf. Subsection 3.3), and take $r_i \in R_i$ such that $f_i(r_i) = k_i$, $i = 1, \ldots, m$. Then the set of all elements $r_1 \cdots r_m$ for all $h \in H$ can be chosen as the set $R$.

From Theorems 2.2 and 3.4 we immediately obtain the following statement.

Corollary 3.5 Let $K_1, \ldots, K_m$ be a set of pairwise disjoint cyclic groups of prime orders, $m > 1$. Then $\Pi(K_1, \ldots, K_m) \in \mathcal{G}_{crypt}$. ■

3.5. Special cases of a semidirect product are the direct and wreath products. Indeed, in the latter case the resulting group is a semidirect product of the direct power of the first group (with the number of factors being equal to the order of the second group) by the second group, which acts on the product by permutations of the direct factors, see e.g. [10]. Thus as an immediate consequence of Theorem 3.4 we conclude that the class $\mathcal{G}_{crypt}$ contains direct and wreath products of cyclic groups of prime orders (cf. Corollary 3.5). Using this fact we can prove the main result of the paper.

Theorem 3.6 Any solvable nonidentity group belongs to the class $\mathcal{G}_{crypt}$.

Proof. It is a well-known fact that any solvable group can be constructed from a cyclic group of prime order by a sequence of cyclic extensions. On the other hand, from [10, Theorem 6.2.8] it follows that any extension of one group by another one is isomorphic to a subgroup of the wreath product of them. So it suffices to verify (cf. Corollary 3.5) that any nonidentity subgroup of a semidirect product of cyclic groups of prime orders belongs to the class $\mathcal{G}_{crypt}$.

To do this let $H \in \mathcal{G}_{crypt}$ be such a group. Then there exists a homomorphic cryptosystem $S = (R, A, P)$ over $H$ with respect to some epimorphism $f : G \to H$. Without loss of generality we assume that $S$ is the homomorphic cryptosystem from Theorem 3.4. Given explicitly a non-identity subgroup $H'$ of $H$ set $G' = f^{-1}(H')$, $f' = f|_{G'}$ and $S' = (R', A', P')$, where $R' = R \cap f^{-1}(H')$,

$$A' = \{(a, r) \in A^* \times (R^*)' : f(r) = 1_H\}, \qquad P' : A' \to G',\ (a, r) \mapsto P^*(a) r$$

and $(R^*)' = \{r \in R^* : f(r) \in H'\}$. Then $S'$ is a homomorphic cryptosystem over $H'$ with respect to the homomorphism $f' : G' \to H'$. Indeed, we present the group $G'$ as the subgroup of $G$ generated by the sets $\operatorname{im}(P')$ and $R'$. (In this presentation of $G'$ we would be unable to recognize its elements in $G$, but we do not need this.) Now the first two conditions of Definition 1.1 are satisfied for $S'$ because they are satisfied for $S$ (to generate a random element of $A'$, it suffices to generate a random element $r'$ of $(R^*)'$, and for this purpose one can generate a random $r \in R^*$ and set $r' = r\tilde{r}$, where $\tilde{r}$ is the element of $R'$ such that $f(r) f(\tilde{r})^{-1} \in H'$). Since $\ker(f') = \ker(f)$, we have $\operatorname{im}(P') = \ker(f')$ and condition (H3) is also satisfied for $S'$ because it is satisfied for $S$. ■

It should be remarked that the construction of a homomorphic cryptosystem over a solvable group $H$ described in this section is rather theoretical. The computational complexity of the underlying algorithms is bounded by a polynomial the degree of which is a function of $|H|$. Besides, the size of the representation of $G$ could be exponential in $|H|$ due to the involvement of wreath products. However, it seems that a more careful implementation can be developed for small groups.

From Theorem 3.6 it follows that there exists a homomorphic cryptosystem over the group $\operatorname{Sym}(n)$ for $n \leq 4$. It would be interesting to construct a homomorphic cryptosystem over an arbitrary symmetric group, because such a system would provide secret computations with any permutation group and, moreover, an implementation of any boolean circuit in the sense of [?]. In this connection we remark that every boolean circuit of logarithmic depth can be implemented by a polynomial-time computation in an arbitrary nonsolvable group (see [1]). On the other hand, it was proved in [1] that over an arbitrary nilpotent group not every boolean circuit can be implemented. If the group is not nilpotent but is solvable, then only an exponential size implementation is known [1], and it is conjectured that one is unable to do better. Thus, if the latter conjecture were wrong, then combining it with Theorem 3.6 would enable us to encrypt any boolean circuit.